Category Archives: Fedora

Linux tty auditing

Posted on by

Since RHEL 5.4, and in recent Fedora releases, it’s possible to audit what users type at their tty (command prompt), thanks to the work of Steve Grubb, a RedHat employee.

Edit /etc/pam.d/system-auth and append the following, but not both: 

session required pam_tty_audit.so disable=* enable=root
session required pam_tty_audit.so enable=*
Wait for users to log in and type into a terminal. Later, to see audited tty input, run: 
aureport --tty
When a user logs in, the pam module tells the kernel to enable tty auditing for a process and its children. All tty input is logged, but it may not be incredibly easy to read (it includes backspaces, control characters, etc.). I’m unclear as to when and how often the kernel flushes out accumulated tty input to the audit log. The records are identified with a type of TTY in /var/log/audit/audit.log.

In addition to tty auditing, RedHat patched their bash shell so that it neatly audits each and every command line it executes, with a record type of USER_TTY. It’s prettier to read than raw tty auditing — and it’s easy for a user to bypass by using a shell that doesn’t send its commands to the Linux audit system, like zsh, or a custom-built unpatched bash. Maybe that’s why “aureport –tty” doesn’t show USER_TTY records.

The Linux auditing system is powerful. It’s possible to write rules that watch for modification to certain files, or that log the use of certain system calls. See the “audit.rules” manpage for more information.

Gnome 3: Not quite ready for prime time

Posted on by

Just over a week ago, I installed Fedora 15. After using Gnome 3 for two days, I decided that I’m better off using Gnome 2, KDE or XFCE.

With Gnome 3, I like the ability to type the name of the application I want to run instead of hunting for it in a menu. This is a feature I’ve enjoyed for the past five years with Windows Vista, so it’s refreshing to finally have it appear in Gnome.

With Gnome 3, however, I miss the following:

  1. A system monitor applet. When my system starts to feel slow, I pay attention to CPU and I/O wait overhead.
  2. Multi-monitor support when changing workspaces. When I move to a new workspace, Gnome 3 only moves one of my two screens to a new workspace. The other stays the same.
  3. Quick launch icons. I use them for Firefox, gVim, Eclipse, and other frequently used apps.
I expect that Gnome 3 will be improved rapidly, and Fedora 16′s Gnome 3 will more productive.

Update: There’s a list of ways to tweak Gnome shell to make it almost bearable: http://forums.fedoraforum.org/showthread.php?t=263006. In particular, by installing and using “gnome-tweak-tool”.

Fedora 14, SSH ports and SELinux

Posted on by

SELinux in Fedora 14 is configured to constrain the ports on which SSH can listen (see the bug report). The solution: 

setsebool -P sshdforwardports 1
This allows SSH to listen on ports besides 22, and to forward ports. Reading the bug report is interesting. In my opinion, OpenSSH has an outstanding security track record, and we probably don’t need additional SELinux policy to constrain it. It’s probably wise to practice security in-depth (to have more than one line of defense), but it creates a large road bump for most SSH power users. From what I read, it sounds like most people still disable SELinux.

Miscellaneous Linux tips and tricks

Posted on by

Gnome Key Bindings and IntelliJ IDEA

IntelliJ IDEA key bindings conflict with Gnome’s window manager. In IDEA, I can type CTRL-B to jump to a symbol definition. Normally, I’d type CTRL-ALT-LEFTARROW to navigate back to where I had come from. Gnome’s MetaCity intercepts that key mapping before IDEA sees it, and tries to move my desktop to the left. There are several other Gnome/Metacity key bindings that conflict with IntelliJ IDEA. Rather than remap the keys in Gnome, I found that on Fedora, I could add the Windows key to the mix, and Gnome would ignore it, and pass it along to IDEA. This means that I can type CTRL-ALT-WINDOWS-LEFTARROW to navigate backward, and so forth.

Unfortunately, this doesn’t work in RHEL 5 and CentOS 5. The solution is to Go to the Gnome menu bar and select System > Preferences > Keyboard (not Keyboard Shortcuts). Then select the “Layout Options” tab, and expand the “Alt/Win key behavior”. Then I select “Super is mapped to the Win-keys”.

Every time I log in after that, Gnome tells me that my X keyboard settings conflict with my Gnome Keyboard settings, and it asks which I want to use. Selecting the Gnome settings is what I want.

Bandwidth limiting downloads with ‘curl’ or ‘wget’

When downloading a large file, it’s nice to be polite to others on the network, so I use the --limit-rate option for curl and wget:

  • curl -O --limit-rate 20k http://server.com/linux.iso
  • wget --limit-rate=20k http://server.com/linux.iso

GDB TUI (text user interface)

After starting gdb, it’s possible to switch to its text user interface with CTRL-X, CTRL-A. Typing it a second time exits TUI mode.

Vim C++ Auto completion with ctags

I appreciate full blown IDEs in Linux, but I like the quick start up time of vim. Until recently though, I didn’t have C++ auto completion (also known as vim omni completion).

This got me up and running, and was a great resource: http://vim.wikia.com/wiki/C%2B%2Bcodecompletion

This would have been useful if I was a new comer to vim and ctags: http://www.justlinux.com/nhf/Programming/IntroductiontoC_Programming.html

xdg-open, gnome-open, start, cygstart

How to easily open files and URLs from the command line http://www.dwheeler.com/essays/open-files-urls.html

  • Linux: xdg-open filename_or_URL
  • Linux: gnome-open filename_or_URL
  • Mac: open filename_or_URL
  • Windows: cmd /c start filename_or_URL
  • Cygwin: cygstart filename_or_URL

Nomachine NX and ALT-TAB

I use the Nomachine NX client from time to time to get a remote-desktop like connection to a remote Linux machine. It’s faster than VNC, but it suffers from not forwarding all of my keyboard shortcuts to the remote end of the connection.

Usually, I start the nxlcient from within a Gnome login session. Gnome happily grabs ALT-TAB before the NX client gets to see it. That’s not what I want. To work around this limitation, I log into a virtual terminal, and start X manually as follows:

Type CTRL-ALT-F2 Login Run: startx -- :1 gnome-terminal

From the gnome-terminal, run: nxclient

And then I connect to the remote machine in full screen mode. There’s no local window manager to interfere with my keyboard shortcuts.

Remote desktop and dual screens

I’ve been using Remote Desktop to connect to Windows XP, Vista and 7 machines. Until Windows 7, there was no way for a local computer having dual monitors to connect and have the remote end display across both monitors.

So I used linux’s ‘rdesktop’ program to do it:

rdesktop -0 -a16 -f -rdisk:CLIENT=/home/jared/Desktop -r sound remote.host.com

I notice that in Windows 7, there are some new options in the Remote Desktop client (mstsc.exe): /multimon and /span. Or run mstsc /? to list all possible options.

Editing windows registry files on Linux

Use Gedit: gedit --encoding=UTF-16LE myfile.reg

Gvim: LANG=UTF-16LE gvim myfile.reg

If already in gvim: :e! ++enc=utf-16le or :e ++enc=utf-16le myfile.reg

Convert, edit, convert:

iconv -f UTF-16LE -t utf-8 myfile.reg > myfile.reg.utf8

Edit myfile.reg.utf8, then convert it back

iconv -f utf-8 -t UTF-16LE myfile.reg.utf8 > myfile.reg

How Firefox opens files and mime types

I needed to give Firefox some extra help knowing how to open a custom file type with a custom application. Here’s some helpful information.

https://developer.mozilla.org/en/HowMozilladeterminesMIMETypes

Firefox uses mime.types on Linux, as well as other things. I helped Firefox by the mime type to the link in the generated HTML file. Either one of the following seems to work:

  • <a href=”file:subdir/file1.cst” type=”application/octet-stream”> open file </a>
  • <a href=”file:subdir/file1.cst” type=”application/x-extension-cst”> open file </a>

f-spot and sqlite

Posted on by

I recently tried using Linux f-spot, with the intent to make it easier to browse, manipulate, manage and publish my photos. I wanted f-spot to manage my photo screen saver as well. f-spot seems to be good at importing photos, but getting photos removed is a bit more difficult.

I organize my photos by date an a directory structure such as “2010/2010.01.01 New Years Day”. The “2010″ directory contains several sub directories. Each sub directory consists of a date and a description. If, for some reason, I import photos into f-spot that I don’t want in its database, I know what directory the photos pertain to. Unfortunately, F-spot doesn’t allow me to remove photos from its catalog by filename or file path. That’s okay though, because it stores its database using sqlite.

I figured this out by running lsof -p pid-of-f-spot, and noticed a file descriptor opened to “/home/jared/.config/f-spot/photos.db”. Then I ran file ~/.config/f-spot/photos.db and it helpfully told me that it is a “SQLite 3.x database”.

After a bit of google research, I figured out I could install a SQLite manager on my Fedora system: yum install -y sqliteman, followed by running sqliteman ~/.config/f-spot/photos.db. I was expecting to see a command-line client, but to my surprise, I found a pleasant graphical interface. It was simple to browse the table schema and to run queries to update and morph the f-spot photo database. Note: I’d recommend making a backup copy of the database before altering it.

F-spot may not be everything I want it to be, but I managed to work past its limitations due to the fact that it used a well known, open data storage format.

Using rsync with SELinux

Posted on by

Last week, I needed to move /home from one Fedora computer to another, and I used rsync over ssh move the data.

On the new system, I noticed that procmail didn’t seem to be working, and neither did Dovecot. Nor could apache serve up my files. This had all been working on my previous Fedora system, which was running SELinux, as was my new system. What had happened?

I hadn’t told rsync to bring across the SELinux file contexts, which are stored in extended attributes. Here is the rsync option I should have used:

-X, --xattrs

I could have used ‘tar’ to move my home directory as well. In that case, I would have needed one of the following options: --selinux or --xattrs

I resolved my SELinux issues using the excellent SETroubleShoot, which explained what commands to run to restore the proper SELinux contexts on various files.

SELinux requires time to tune, and I use it because it enhances the security of my linux system, which serves up content over HTTP (Apache), IMAP (dovecot) and CIFS (Samba).

Fedora 11 and Virtualization (KVM)

Posted on by

I’ve recently upgraded another computer from Fedora 9 to Fedora 11, and I’ve decided to try the built-in KVM (i.e. Applications -> System Tools -> Virtual Machine Manager). I wanted a virtual machine that had bridged mode networking, but it wasn’t available by default. To get it as an option, I disabled SELinux (not sure if it was necessary), followed some special instructions to setup a bridged interface, and restarted my network and libvirtd.

Now I’ve got a working guest OS inside of KVM, and I like it. The guest OS feels snappy and responsive.

Update: KVM and the accompanying tools aren’t as mature as VirtualBox or VMWare. E.g. I didn’t see how to get my USB flash drive to be recognized by a KVM guest OS. At one point, I tried to use VirtualBox at the same time as KVM. VirtualBox told me I needed to disable the KVM kernel module before using VirtualBox.

My impressions of Fedora 11

Posted on by

Here's my take on installing Fedora 11, which was released June 9, 2009. I chose not to do an upgrade as I often do. Instead, I did backup, followed by a fresh install, preserving my /home partition, but wiping out the other partitions. Then I used meld to restore my configuration files in /etc -- such as ssh server keys, printer settings and file system mounts. I found that I had to use the kernel boot option nomodeset in order to avoid system lockups. Overall, I've been pleased with my Fedora 11 experience, despite the bumps.

Fedora 11 useful resources:

Pre-install:

  • cp -a /etc /home/backup/etc
  • cp -a /root /home/backup/etc
  • backup /home
  • booted the LiveCD to make sure it would detect my hardware and run

Install

  • I decided to preserve my partition layout, which isn't the default option upon fresh install
  • Didn't delete my /home partition.
  • Reformatted all other partitions, with "/" as ext4

Post-install:

  • Had to enable eth0 in NetworkManager, and make "enabled" the default.
  • yum install -y meld nautilus-actions nautilus-open-terminal vim-X11 zsh screen mc rdesktop
  • meld /home/backup/etc /etc
    • Restored /etc/ssh settings
    • Restored /etc/cups printer settings
    • Checked /etc/fstab differences
  • Installed NX Server

Pleasurable:

  • Bootup is very pleasant, and seems faster. 30 seconds boot. 17 seconds login. 14 second shutdown. This is on an AMD Athlon 2400 Mhz Sempron with an ATI video card.
  • Artwork is top notch (backgrounds on login screen and default wallpaper)

Pain points:

  • Unavailable extensions for Thunderbird 3.0 -- Enigmail
  • Unavailable extensions for Firefox 3.5 -- Aardvark -- QuickProxy
  • Computer locked up every few hours until I added nomodeset to my kernel settings in /etc/grub.conf.

Gnome Slideshow Screensaver Sanity, Take 2

Posted on by

Last year, I wrote about how to achieve Gnome Slideshow Screensaver Sanity. I've recently upgraded to Fedora 11, and I noticed that GLSlideshow isn't installed by default (maybe it never was), and I wondered if I could alter the settings for gnome slideshow. By default, it uses pictures out of the $HOME/Pictures folder, and there's no way in the user interface to change that location, which can be frustrating. Here's how I worked around it. Note the use of the --location option, and that I changed my Name= setting.

  • cp /usr/share/applications/screensavers/personal-slideshow.desktop ~/.local/share/applications/my-slideshow.desktop
  • gedit ~/.local/share/applications/my-slideshow.desktop

[Desktop Entry]
Encoding=UTF-8
Name=Custom Photos
Exec=/usr/libexec/gnome-screensaver/slideshow --location=/home/images/Photos
TryExec=/usr/libexec/gnome-screensaver/slideshow
StartupNotify=false
Terminal=false
Type=Application
Categories=GNOME;Screensaver;
OnlyShowIn=GNOME;

Go into the screensaver preferences (System -> Preferences -> Screensaver), and select "Custom Photos". There's no way to customize the duration to display each photo, but at least I don't have to settle for Gnome's default location.

Fedora 10 lacks “wow” appeal; OpenSolaris 11

Posted on by

I upgraded one of my machines to Fedora 10 last month, and for me, this release lacks the “wow” appeal that other releases have had. A minor annoyance is that the keyboard repeat delay is broken for me and so far, there is no fix other than disabling keyboard repeat. On the plus side, Fedora 10 includes OpenOffice.org 3 and other new features. Be sure to check out the Common Issues people have experienced with Fedora 10.

The other day, a co-worker handed me an OpenSolaris 11 Live CD. I booted it, expecting to be underwhelmed like I was with the Solaris 10 JavaDesktop. I was pleasantly surprised, however. Sun’s “Nimbus” GNOME theme knocks the socks off of the boring Fedora window manager themes. The experience felt like I was running Linux. It was responsive, supported my newer hardware, and the system was built with GNU utilities on the command line so I get my favourite options to ‘ls’, ‘grep’, etc. It supported my NVidia card out-of-the box, and had Compiz eye-candy as an option. The only thing I missed (in my superficial test) was the familiar ‘yum’ and ‘rpm’ for package management. I suspect that if I used it from day to day, I’d find other things I miss. Does OpenSolaris support encrypted file systems? Does it have as much optional software as I can get with Fedora Extras?

I’ll keep my eye on OpenSolaris a little more closely in the future.